How do I serve a LetsEncrypt certificate for requests lacking SNI?

I'm setting up a little home server using docker compose, and I'm using traefik to terminate my SSL connections/request certificates from Let's Encrypt. For the most part, this is working great, so thanks for building this!

One client does not send SNI when making the connection to my traefik container. Don't ask me why, I'm not sure. What I'd like to do is have Traefik default to the example.com certificate when it receives a request without SNI, instead of the Traefik default certificate.

The documentation suggests defaultGeneratedCert, but I can't figure out where to put the labels in my docker-compose.yml.

Here's what I have so far:

services:
  reverse-proxy:
    # The official v2 Traefik docker image
    image: traefik:v2.10
    restart: unless-stopped
    # Tells Traefik to watch Docker, defines the entrypoints and the ACME resolver
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=postmaster@example.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
      - "--log.level=DEBUG"
    labels:
      - "traefik.tls.stores.default.defaultgeneratedcert.resolver=myresolver"
      - "traefik.tls.stores.default.defaultgeneratedcert.domain.main=example.com"
      - traefik.http.routers.traefik-secure.tls=true
      - traefik.http.routers.traefik-secure.tls.domains[0].main=example.com
      - "traefik.http.routers.traefik-secure.tls.certresolver=myresolver"
      - traefik.enable=true
    ports:
      # The HTTPS and HTTP ports
      - "443:443"
      - "80:80"
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik/files:/letsencrypt

Thanks for any help!

Similar topics I've read:

Check ACME Default Cert (doc).

Yep! That's where I started. You'll note that I've added those labels to my docker-compose.yml file:

They just don't seem to do anything. I'm assuming I have them in the wrong place?

Looks in accordance with the doc:

## Dynamic configuration
labels:
  - "traefik.tls.stores.default.defaultgeneratedcert.resolver=myresolver"
  - "traefik.tls.stores.default.defaultgeneratedcert.domain.main=example.org"
  - "traefik.tls.stores.default.defaultgeneratedcert.domain.sans=foo.example.org, bar.example.org"

Do you get LE certs at all?

Yep! My other containers get LE certs.
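
A way to check which certificate a client with and without SNI is actually served, as an added example that is not part of the thread and not Traefik's code. It is written in Go because Traefik builds on Go's `crypto/tls`. `LeafCN`, `ProbeModel`, `selfSigned` and the by-name-else-default stand-in server are assumptions made for illustration, and the certificates are throwaway ones generated on the spot.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func selfSigned(cn string) *tls.Certificate { // throwaway certificate, constructed sample data
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, tpl, pub, key)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// LeafCN handshakes over conn and returns the served certificate's CN; sni "" sends no SNI.
func LeafCN(conn net.Conn, sni string) (string, error) {
	c := tls.Client(conn, &tls.Config{ServerName: sni, InsecureSkipVerify: true}) // probe only
	if err := c.Handshake(); err != nil {
		return "", err
	}
	return c.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

// ProbeModel probes a stand-in server (assumed model): site cert on SNI match, else default.
func ProbeModel(defaultCN, hosted, sni string) (string, error) {
	def, site := selfSigned(defaultCN), selfSigned(hosted)
	cli, srv := net.Pipe()
	defer cli.Close()
	pick := func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
		if h.ServerName == hosted {
			return site, nil
		}
		return def, nil // empty or unknown server name
	}
	go tls.Server(srv, &tls.Config{GetCertificate: pick, SessionTicketsDisabled: true}).Handshake()
	return LeafCN(cli, sni)
}

func main() {
	fmt.Println(ProbeModel("TRAEFIK DEFAULT CERT", "example.com", "example.com"))
	fmt.Println(ProbeModel("TRAEFIK DEFAULT CERT", "example.com", "")) // client without SNI
}
```

To probe a real listener, pass `LeafCN` a connection from `net.Dial("tcp", "host:443")`, where `host` is a placeholder. Session tickets are disabled on the stand-in only so the handshake completes cleanly over the unbuffered `net.Pipe`.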